Security testing is a type of software testing performed to ensure that a system or application is secure. It reveals flaws in the security mechanisms of an information system that protect data and maintain functionality as intended.
Areas in Security testing:-
You have to focus on the following areas in security testing.
1. Network Security:- While performing network security testing, the tester looks for vulnerabilities in the network infrastructure.
2. System Software Security:- While performing system software security testing, the tester evaluates flaws in the various software on which the application depends.
3. Client-side application security:- While performing client-side application security testing, we make sure that the client cannot be influenced or manipulated.
4. Server-side application security:- While performing server-side application security testing, we make sure that the server code and its technologies are robust enough to defend against any type of intrusion.
Attributes of security testing:-
Classes of Threats:-
1. SQL Injection:- SQL injection is one of the most common and critical attack techniques used by attackers. The attacker injects crafted SQL queries or parts of SQL statements into an entry field and extracts critical information from the server's database.
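The defect behind SQL injection is that user input is concatenated into the statement text, so the input can change the statement's structure. The following added example (not part of the original article) shows a vulnerable lookup beside its parameterised form against a constructed in-memory SQLite table; the table, the sample users and the tester's probe string are all assumptions made for the demonstration:

```python
import sqlite3


def make_db():
    """Constructed sample database (not from the article): three users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("alice", "hash-a", "user"), ("bob", "hash-b", "user"), ("admin", "hash-admin", "admin")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # The statement is built by string concatenation, so quotes and keywords in the
    # input become SQL syntax instead of data. This is the pattern a tester is probing for.
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username):
    # Parameterised query: the value travels separately from the statement text, so
    # whatever it contains, it is compared as a literal string and cannot alter the query.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def injection_test(conn, probe="x' OR '1'='1"):
    """Security test: returns True when the vulnerable path leaks rows the probe should not match."""
    return len(lookup_vulnerable(conn, probe)) > len(lookup_safe(conn, probe))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup leaks rows:", injection_test(db))
    print("safe lookup for same probe:", lookup_safe(db, "x' OR '1'='1"))
```

In a real test the probe is typed into the application's entry field; the pass criterion is the one `injection_test` encodes: a malformed username must return nothing, never the whole table.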
2. Password cracking:- If the username or password is stored in cookies without encryption, an attacker can use different methods to steal the cookies and then read the information stored in them, such as the username and password.
3. URL manipulation through HTTP GET methods:- This involves manipulating the website URL query string to capture important information. It happens when the application uses the HTTP GET method: user information is passed to the server in the GET request for authentication or for fetching data. An attacker can manipulate every input variable passed to the server in this GET request in order to obtain the required information or to corrupt the data.
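The test for this class of flaw is to change a query-string value to one belonging to a different user and check that the server refuses it. The added example below (not from the article) contrasts a handler that trusts the `account` parameter with one that also checks ownership against the logged-in session user; the URLs, the `ACCOUNTS` table and the parameter name are constructed for the demonstration:

```python
from urllib.parse import parse_qs, urlparse

# Constructed sample data (not from the article): which account belongs to which user.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 250},
    "1002": {"owner": "bob", "balance": 900},
}


def _account_id_from(url):
    """Pull the 'account' value out of the GET query string; None if absent."""
    params = parse_qs(urlparse(url).query)
    return params.get("account", [None])[0]


def get_balance_insecure(url, session_user):
    # Trusts the id in the URL alone: any logged-in user can read any account
    # simply by editing the query string. session_user is never consulted.
    acct = ACCOUNTS.get(_account_id_from(url))
    return acct["balance"] if acct else None


def get_balance_secure(url, session_user):
    # Authorisation is decided server-side from the session, not from the request:
    # the id in the URL is only honoured when the record belongs to session_user.
    acct = ACCOUNTS.get(_account_id_from(url))
    if acct is None or acct["owner"] != session_user:
        # Same response for "does not exist" and "not yours", so the URL cannot be
        # used to enumerate which ids are valid.
        return None
    return acct["balance"]


def url_manipulation_test(handler):
    """Security test: True when changing the id in the URL exposes another user's data."""
    foreign = "https://app.example/account?account=1002"   # bob's account
    return handler(foreign, "alice") is not None


if __name__ == "__main__":
    print("insecure handler exposes other user's account:", url_manipulation_test(get_balance_insecure))
    print("secure handler exposes other user's account:", url_manipulation_test(get_balance_secure))
```

The same check applies to every GET parameter that names a resource, not just account ids; the principle is that the URL tells the server what was asked for, and the session tells it whether the asker is allowed to have it.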
4. Cross Site Scripting (XSS):- This method involves executing a malicious script or URL in the victim's browser. It enables attackers to inject client-side script into web pages viewed by other users and trick a user into clicking on that URL. Once executed by the other user's browser, this code can perform actions such as completely changing the behavior of the website, stealing personal data, or performing actions on behalf of the user.
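XSS arises when user-supplied text is written into a page without output encoding for the context it lands in. The added example below (not from the article) renders a comment two ways, raw and HTML-escaped, and separately builds a link whose scheme is validated before it is emitted, covering both the "script" and the "URL" forms the paragraph mentions; the markup, the `render_*` helpers and the sample inputs are constructed for the demonstration:

```python
import html
from urllib.parse import urlparse


def render_comment_vulnerable(comment):
    # User text is dropped straight into the HTML, so any tags it contains are parsed
    # and executed by every browser that views the page.
    return '<div class="comment">' + comment + "</div>"


def render_comment_safe(comment):
    # html.escape turns < > & " ' into entities, so the browser shows the characters
    # instead of interpreting them as markup.
    return '<div class="comment">' + html.escape(comment, quote=True) + "</div>"


def render_link_safe(url, text):
    # For a URL in an href, escaping alone is not enough: a non-http scheme such as
    # javascript: would still run when clicked. Allow only http(s) and otherwise emit
    # plain text with no link at all.
    scheme = urlparse(url).scheme.lower()
    if scheme not in ("http", "https"):
        return html.escape(text, quote=True)
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True), html.escape(text, quote=True))


def page_contains_live_script(page):
    """Security test helper: True if a <script tag survives into the rendered page."""
    return "<script" in page.lower()


if __name__ == "__main__":
    probe = "<script>alert('xss')</script>"   # constructed test input
    print("vulnerable render executes script:", page_contains_live_script(render_comment_vulnerable(probe)))
    print("safe render executes script:", page_contains_live_script(render_comment_safe(probe)))
    print(render_link_safe("javascript:alert(1)", "click me"))
```

Escaping is context-specific: the entity encoding used for element content is right for text nodes and quoted attributes, but a URL, a JavaScript string or a CSS value each need their own encoding or validation, which is why the link helper checks the scheme rather than only escaping.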
5. Data Manipulation:- In data manipulation, a hacker manipulates data used by a website in order to gain some advantage. Hackers often gain access to HTML pages and change them to be satirical or offensive.
6. Identity Spoofing:- This involves a hacker using the credentials of an authorized user or device to launch attacks against network hosts, steal data or bypass access controls. Preventing this attack requires IT-infrastructure and network-level mitigation.
Example of a Basic Security Test Scenario:-
- Log in to the web application.
- Log out of the web application.
- Click the BACK button of the browser (check whether you are asked to log in again or whether it still shows you as logged in).
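The login/logout/BACK scenario above checks two things: that the server stops honouring the session once the user logs out, and that the logged-in page is not served from the browser cache afterwards. It also connects to the earlier point about cookies: the cookie should carry a random session token, never the credentials themselves. The added example below (not from the article) models that with a small in-memory session store and runs the scenario as an automated test; the `SessionStore` class, the header helpers and the user names are constructed for the demonstration:

```python
import secrets


class SessionStore:
    """Constructed stand-in for a web application's server-side session table."""

    def __init__(self):
        self._sessions = {}   # token -> username

    def login(self, username):
        # The cookie value is an unguessable random token; the password never leaves
        # the server, so a stolen cookie does not reveal credentials.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = username
        return token

    def logout(self, token):
        # Invalidate server-side: a token the browser still holds (e.g. replayed via BACK
        # or from a stolen cookie) must be rejected from now on.
        self._sessions.pop(token, None)

    def current_user(self, token):
        return self._sessions.get(token)


def insecure_cookie(username, password):
    # The anti-pattern from the "Password cracking" item: credentials in the cookie in clear.
    return "Set-Cookie: auth=%s:%s" % (username, password)


def session_cookie(token):
    # HttpOnly keeps the token away from page scripts (limits XSS theft), Secure keeps it off
    # plaintext HTTP, SameSite=Lax limits cross-site sending.
    return "Set-Cookie: session=%s; HttpOnly; Secure; SameSite=Lax; Path=/" % token


def logged_in_page_headers():
    # Tells the browser not to cache the authenticated page, so BACK after logout cannot
    # show a stale "logged in" view from the cache.
    return {"Cache-Control": "no-store", "Pragma": "no-cache"}


def back_button_scenario(store):
    """Runs the article's scenario. Returns True when the old session is still accepted (a defect)."""
    token = store.login("alice")          # 1. log in
    assert store.current_user(token) == "alice"
    store.logout(token)                   # 2. log out
    return store.current_user(token) is not None   # 3. replay the old token, as BACK would


def cookie_is_hardened(header):
    """Security test helper for the Set-Cookie line: both flags present, no credentials inline."""
    return "HttpOnly" in header and "Secure" in header and "auth=" not in header


if __name__ == "__main__":
    store = SessionStore()
    print("old session still accepted after logout:", back_button_scenario(store))
    print("hardened cookie:", cookie_is_hardened(session_cookie(store.login("bob"))))
    print("hardened cookie:", cookie_is_hardened(insecure_cookie("bob", "hunter2")))
```

When running the scenario by hand against a real application, the two observable symptoms of a failure are the same ones the helper checks for: the server still answers an authenticated request with the old cookie, or the browser shows the authenticated page from cache because the response lacked `Cache-Control: no-store`.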